Esc

Domain Account - T1087.002

(ATT&CK® Technique)

Definition

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1087002["Domain Account"] --> |enumerates| DomainUserAccount["Domain User Account"]; class T1087002 OffensiveTechniqueNode;
        class DomainUserAccount ArtifactNode; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";
        click T1087002 href "/offensive-technique/attack/T1087.002/"; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";             RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | DomainUserAccount["Domain User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | may-restore | T1087002["Domain Account"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; AgentAuthentication["Agent Authentication"] -->
          | strengthens | DomainUserAccount["Domain User Account"];

          AgentAuthentication["Agent Authentication"] -.->
            | may-harden | T1087002["Domain Account"] ;
          class AgentAuthentication DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AgentAuthentication href "/technique/d3f:AgentAuthentication"; UnlockAccount["Unlock Account"] -->
          | restores | DomainUserAccount["Domain User Account"];

          UnlockAccount["Unlock Account"] -.->
            | may-restore | T1087002["Domain Account"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UnlockAccount href "/technique/d3f:UnlockAccount";                                                    DomainAccountMonitoring["Domain Account Monitoring"] -->
          | monitors | DomainUserAccount["Domain User Account"];

          DomainAccountMonitoring["Domain Account Monitoring"] -.->
            | may-detect | T1087002["Domain Account"] ;
          class DomainAccountMonitoring DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; AccountLocking["Account Locking"] -->
          | disables | DomainUserAccount["Domain User Account"];

          AccountLocking["Account Locking"] -.->
            | may-evict | T1087002["Domain Account"] ;
          class AccountLocking DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AccountLocking href "/technique/d3f:AccountLocking"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | DomainUserAccount["Domain User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | may-isolate | T1087002["Domain Account"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";

json